[OpenAFS] Cron jobs with access to AFS

Mark Montague markmont@umich.edu
Thu, 19 Feb 2004 10:40:52 -0500 (EST)


On Wed, 18 Feb 2004, Lukas Kubin wrote:

> Now I can't succeed doing the same with cron jobs. I.e. I need cron jobs
> to have access to folders with user like "cron.hostname" on their ACLs.

Here's how we do it (assuming "hostname" is a fully qualified
domain name):

  - create a Kerberos 5 principal cron/hostname@OURREALM

  - create a keytab entry for cron/hostname in a file readable
    only by the user who is going to run the cron job
    (/etc/krb5.keytab is fine if it is root's cron job).

  - create an AFS user cron.hostname corresponding to the
    Kerberos 5 principal above (using the "pts create" command).

  - Add cron.hostname to the appropriate AFS ACLs.

  - Create a crontab entry such as:
    5 5 * * 2 /usr/vice/bin/pagsh -c "/path/to/script --option1 --option2" 2>&1

  - /path/to/script is a file containing the following (in whatever
    your favorite language is):

        #!/bin/sh
        # Per-run credential cache so concurrent jobs do not clobber each other
        KRB5CCNAME=/ticket/krb5cc_CRONJOB_NAME_$$
        export KRB5CCNAME
        HOSTNAME=`/bin/hostname`
        # Kerberos 5 tickets from the keytab, then AFS tokens for the cell;
        # stop if either step fails so the job never runs without access
        kinit -A -5 -k cron/${HOSTNAME}@OURREALM || { echo "kinit failed" >&2; exit 1; }
        aklog -c ourcell || { echo "aklog failed" >&2; exit 1; }
        # ... do whatever needs to be done here...
        # Cleanup:
        unlog
        kdestroy -q
        rm -f "$KRB5CCNAME"  # Just in case kdestroy didn't get it
        unset KRB5CCNAME

This works for us with cron using PAM under Solaris 8.


> How do you enable common users to run their own cron jobs with access to
> their AFS homes?

We've never had a user want to do this.  But if we had someone,
say joeuser, who wanted to, we'd follow the procedure above
using "joeuser" in place of the fully qualified domain name
of the machine (Kerberos principal cron/joeuser@OURREALM,
AFS user cron.joeuser).

                Mark Montague
                LS&A Information Technology
                markmont@umich.edu
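Added example, not from Mark's post or from OpenAFS: a POSIX sh wrapper that carries out the script steps above, performs the kinit/aklog return-code checks the post leaves as comments, cleans up via a trap even when the job fails, and refuses to run when the keytab is not readable only by the invoking user. The KEYTAB and CC_DIR defaults, the wrapper's name and the `kinit -k -t` flags are assumptions; the realm, cell, cache path and principal form are the post's.

```shell
#!/bin/sh
# Added example: run an AFS cron job with tickets from a keytab.
# Invoke from cron under pagsh, e.g.
#   pagsh -c "/path/to/afs-cron-wrap.sh backup /path/to/job --opt"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumption: root's keytab
REALM="${REALM:-OURREALM}"             # from the post
CELL="${CELL:-ourcell}"                # from the post
CC_DIR="${CC_DIR:-/ticket}"            # from the post

# Succeed only if FILE exists, is owned by the invoking user and has no
# group/other permission bits, i.e. is readable only by the cron user.
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -ldn "$f")          # $1 = mode string, $3 = numeric owner
    [ "$3" = "$(id -u)" ] || return 1
    case $1 in
        ????------*) return 0 ;;    # positions 5-10 (group, other) all '-'
        *)           return 1 ;;
    esac
}

# Drop AFS tokens and Kerberos tickets and remove the cache file; runs on
# exit and on signals, so a failing job never leaves credentials behind.
cleanup() {
    unlog 2>/dev/null
    kdestroy -q 2>/dev/null
    rm -f "${KRB5CCNAME#FILE:}"
}

# run_afs_job JOBNAME COMMAND [ARGS...]: get tickets and tokens as
# cron/<fqdn>@REALM, run COMMAND and return its status (2/3/4 mean the
# keytab check, kinit or aklog failed).
run_afs_job() {
    job=$1; shift
    keytab_is_private "$KEYTAB" || { echo "$KEYTAB is not private, refusing to run" >&2; return 2; }
    KRB5CCNAME="FILE:$CC_DIR/krb5cc_${job}_$$"   # per-run cache, as in the post
    export KRB5CCNAME
    trap cleanup EXIT HUP INT TERM
    kinit -k -t "$KEYTAB" "cron/$(hostname)@$REALM" || return 3
    aklog -c "$CELL" || return 4
    "$@"
}

# Act only when given a job name and a command; sourcing just defines functions.
if [ $# -ge 2 ]; then
    run_afs_job "$@"
fi
```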